Apple Java update removes Flashback malware

Apple on Thursday released a software update to remove Flashback, the most notorious Mac trojan to date, which reportedly affected some 600,000 Macs worldwide.

According to Apple, the Java security update removes the "most common variants" of the Flashback malware and offers further protection from future iterations by configuring the web plug-in to disable the automatic execution of Java applets.

From the release notes:

Quote:

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

This update is recommended for all Mac users with Java installed.

The Flashback trojan created a botnet of more than 600,000 Macs around the world and tracked web browsing information, user IDs and passwords. By exploiting a Java security hole, the malicious software was able to install itself automatically on a user's computer after they visited an offending website. Flashback was first discovered last year and evolved into the self-installing version seen today.

The download, which supersedes recent Java patches, is available via Software Update and comes in at 66.8MB.

I was initially infected by this Flashback trojan on my Mac, and even the manual removal instructions did not get all of the trojan's files, which still tried to send info out over the Internet, but thanks to the Little Snitch app for finding these rogue infected files. I have installed this Java update with no problems. I hope I never see this trojan again on my Mac!

Interesting...it was my understanding that, according to F-secure, Flashback wouldn't install itself if you had Little Snitch (or a host of other programs). Am I reading this wrong?

I know everyone wants to blame Java for this vulnerability and they should; however, allowing an application to auto-install by visiting a website? Give me a break. That is something that neither the browser nor the OS should allow. Why they let a browser plugin write anything to disk other than a cookie or an HTML5 DB, I do not know.

It will be interesting to see if Apple can find a way to prevent future threats without resorting to using an active or passive virus/trojan scanner. Locking down the execution of applications to signed apps is one step. Not sure how that will apply to Flash or Java applications started from the browser or malicious code somehow run within the browser.

Yeah, there should be multi-layer protection here. Java should restrict apps, the OS should sandbox Java, and Safari should not be executing Java apps/applets without specific user approval.

I was infected via the Java vulnerability. I used the manual Flashback trojan removal instructions, was reported as infected, and uninstalled the files F-secure recommended. Re-ran the instructions twice and came up clean. Later, someone recommended I try Little Snitch and I installed, and immediately found 2 infected program files trying to send data out to suspicious web sites. Googled the file names and found other Mac users had these same files with the trojan also, so I manually removed these 2 files. Have run Little Snitch ever since and have had no more trojan activity reported.

Also, Apple's Java update and trojan removal tool that was released today did not report the trojan on my Mac, although several other people saw a "trojan detected" error message like this upon installing the update from Apple today:

They say to also deactivate Java, does that include clicking off both Java and Java Script from Safari Preferences or just Java?

Despite their name similarity, Java and JavaScript are not related in any way really. JavaScript was named that because of marketing reasons, which to this day confuses most users because it seems absurd that two things with such clearly related names have no relation.

I'm skeptical of the whole thing. The original claim was that there were 600,000 infected Macs. Early today (before Apple had released a fix), the claim was that there were 230,000 to 270,000 infected Macs.

So did 60% of the Macs heal themselves? I think it's extremely unlikely that 60% of infected Mac users went through the trouble of fixing the problem manually. Far more likely that the numbers are wrong.

This is realistic though. HTML/Javascript/CSS are a lot more powerful than they used to be, so Applets shouldn't be required as much these days. And if you really do need local filesystem access, then write an app and put it in the App Store. If you can write Java you can write ObjC.

Likely, but we don't know and we never will. As I said in the other discussion, I got a false alarm from the online tool of Kaspersky (I know that I am not infected since I disabled Java years ago and the scan tools show me clean). So the whole affair of counting the number of infected Macs looks at least suspicious.

Not nearly good enough. Others, with far fewer resources beat them. Apple need a pro-active security team and a dedicated Mac OS security app. After all, there's an app for absobloodylutely everything else on the App Store. The larger the Mac market share the more visible Apple needs to be with efforts to protect its users and the consequences resulting from their customers using Apple computers. MS are well ahead with MSE and the package is amongst the best available for Windows.

Apple have clearly acquired far more money than sense.

Few more blunders like this and AAPL will be 50% down from where it is now. All this insularity is SJ's fault and has become a cancerous disease at Apple.

Delusional fear-mongering.

It's a trojan. We get a new one every 2 years or so.

The vast majority of users aren't affected. Still no tsunami of malware that was always predicted by the frustrated and envious.

MS *needs* to be ahead of everyone else because they foisted technological swiss cheese on hapless users for years, resulting in what, over 100,000 pieces of malware for Windows? That might even be a conservative figure.

MS needs to be ahead because they screwed everyone. They're responsible for lord only knows how much data loss over a period of what, 20 or more years? Apple's current approach is perfectly in line with the threat level to Macs, which despite market share increases is still the same as it was 4-5 years ago.

Please stop posting misinformation. Even if it is just your opinion, make sure it's informed, rather than sensationalized.

Media-frenzy + FUD by Apple competitors and haters (which is often responsible for the media frenzy.) The latter doesn't have what it takes to compete, and their user-base ends up with perennial Apple-envy.

Here's an idea for Apple's competitors: make products that don't suck ass and which consumers will want to buy, and buy more of.

So did I. It said both my MacBook Air and iMac had the virus, but ClamXav, Terminal, and this other piece of software all said I was clear.

Before you go and get yourself all worked up and throw a fit, take a deep breath and just calm down. Things are not as bad as you seem to think they are. You should really be thankful that you are working with the best OS out there. It is just a trojan attacking a java vulnerability. This trojan is actually rated as a very low threat.

Actually, no that is not the solution. Java remains enabled in the browser. What it does is when you load a web page with a Java applet, it asks you if you want to load it or not load it. Think more Click-To-Flash. There are settings in the Java preferences to override this if you use Java applets often, which you often do in enterprise environments that still tend to use Java. If a future vulnerability attempts to use a drive by attack methodology again, you will at least get a warning the applet is trying to run.

When you visit that page using an iPad, it tells you:

"We have checked the version of Java installed on your computer and discovered that you are running a vulnerable version. You should update as soon as possible."

Where did I misinform?
A Trojan was successfully vectored onto a large number of Macs.
Apple were slow to patch the vulnerability.
Apple does not have a publicly visible or accessible security team.
It need only be so much window dressing...but, it needs to be there.
This will happen again and again.
The misinformation here is people stating the higher number of problems that Windows OS's experience. I couldn't give a flying fig about PC users.
My contention is that Apple need to be far more open and reactive when trojans, viruses and malware are found on the Mac.
As far as I know, none of the UK press were able to elicit a single comment about this from Apple.

They do, they have security options in their bug reporter, which get fed directly to their security people.

Although the update is late, they at least did a good job with it as it will now prevent future behind-the-scenes installations.

I'd like to see a further step that would prevent this kind of software being installed at all. Someone could bundle this sort of thing with a 3rd-party software download (think infected Macupdate download) and it could patch the browser.

Count me as one of the 600,000. I was infected. I'm normally pretty cautious too.

I thought that I was being cautious too, but I still got infected with this trojan.

This Flashback trojan has several variants, some of which were recently released. The "Terminal removal detection and removal instructions" and the list of programs that the trojan would refuse to install upon detecting is outdated in my opinion, as confirmed by so many people that thought "they were clean" of this trojan, yet Apple's latest Java update notified them that it had detected and removed the Flashback trojan code.

New variants of this trojan seem to be installing regardless of what other programs are on the user's Mac, and seem to be hiding themselves from being removed and/or detected by the Terminal Trojan Removal Instructions that had previously been released by F-Secure and others.

I had this trojan when it first came out, and it exploited the Java vulnerability to get into my Mac without me knowing about it. I started seeing strange things happening in the background (like a lot of data transfer being reported by my ISP) even after I followed the Terminal Removal instructions from F-Secure.

Someone suggested I install "Little Snitch", which monitors and reports on any program out of the ordinary trying to send data out onto the Internet from my Mac. I installed "Little Snitch" and it reported that several Flashback trojan programs masquerading as hidden files and/or configuration files for valid Mac apps were trying to send data out to strangely named botnet servers without my consent. I Googled the domains they were trying to access and the filenames the trojan was masquerading as, and found on Apple discussion forums that other users were seeing the same trojan behavior with these infected files and botnet domains/websites.

I manually removed these trojan infected hidden files and configuration files, and have had no more problems reported by Little Snitch. Also Apple's latest Java update did not report that it found any traces of this Flashback trojan on my Mac, when I installed it, unlike many other people who reported that the update said that it had removed infected Flashback files from their system.

So I believe that every Mac user running Lion should install Apple's latest Java update (for Lion), and all Mac users should install the Little Snitch app (which runs for 3 hours free in demo mode). It can be restarted after 3 hours as many times as necessary. This way you should detect if any remnants of this trojan are trying to run and contact their command and control botnet servers.

All Mac users should also verify that Java is disabled from running in Safari's Security Preferences panel, as an extra precaution.
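The manual removal instructions referred to in the two posts above (the earlier one about re-running the Terminal checks and then finding leftover files with Little Snitch, and this one) boil down to looking for one persistence mechanism: a DYLD_INSERT_LIBRARIES entry, either under LSEnvironment in a browser's Info.plist or at the top level of ~/.MacOSX/environment.plist, which makes the OS load an attacker's dylib into the browser on every launch. The script below is an added example written for this page, not code from Apple, F-Secure or the posters; it checks both locations over a directory of app bundles. The bundle names, plist contents and dylib paths are constructed sample data so it runs stand-alone anywhere; on a real Mac you would point report() at /Applications and at ~/.MacOSX/environment.plist, and a hidden (dot-prefixed) path or an injected library in any app at all is what the removal guides treated as a finding.

```python
"""Check app bundles and the per-user launch environment for the
DYLD_INSERT_LIBRARIES persistence that the Flashback removal guides looked for.
All sample files are constructed here; none are taken from the page."""
import plistlib
import tempfile
from pathlib import Path

# Constructed sample plist contents. The injected dylib paths are hypothetical.
CLEAN_INFO = {"CFBundleIdentifier": "com.apple.Safari",
              "CFBundleExecutable": "Safari"}
INFECTED_INFO = {"CFBundleIdentifier": "org.mozilla.firefox",
                 "CFBundleExecutable": "firefox",
                 "LSEnvironment": {
                     "DYLD_INSERT_LIBRARIES": "/Users/Shared/.example_payload.dylib"}}
INFECTED_ENV = {"DYLD_INSERT_LIBRARIES":
                "/Users/victim/.hidden/libexample.dylib:/usr/lib/libSystem.B.dylib"}


def injected_libraries(plist):
    """Return the colon-separated DYLD_INSERT_LIBRARIES entries of a plist dict.

    An app's Info.plist carries the variable under LSEnvironment; the per-user
    environment.plist carries it at top level. Both shapes are handled here."""
    env = plist.get("LSEnvironment")
    if not isinstance(env, dict):
        env = plist
    value = env.get("DYLD_INSERT_LIBRARIES", "")
    return [p for p in str(value).split(":") if p]


def is_hidden_path(path):
    """True when any component of the path is a dot-file or dot-directory,
    the hiding trick the posts above describe."""
    return any(part.startswith(".") for part in Path(path).parts)


def scan_app_bundles(apps_root):
    """Return [(bundle_path, [libs])] for every .app whose Info.plist injects libraries."""
    findings = []
    for info in sorted(Path(apps_root).glob("*.app/Contents/Info.plist")):
        with open(info, "rb") as fh:
            libs = injected_libraries(plistlib.load(fh))
        if libs:
            findings.append((str(info.parents[1]), libs))
    return findings


def scan_environment_plist(env_plist):
    """Return injected libraries from a ~/.MacOSX/environment.plist-style file."""
    env_plist = Path(env_plist)
    if not env_plist.exists():
        return []
    with open(env_plist, "rb") as fh:
        return injected_libraries(plistlib.load(fh))


def report(apps_root, env_plist):
    """Return one human-readable line per injected library; empty means clean."""
    lines = []
    for bundle, libs in scan_app_bundles(apps_root):
        for lib in libs:
            flag = " [hidden path]" if is_hidden_path(lib) else ""
            lines.append(f"{bundle}: LSEnvironment injects {lib}{flag}")
    for lib in scan_environment_plist(env_plist):
        flag = " [hidden path]" if is_hidden_path(lib) else ""
        lines.append(f"{env_plist}: DYLD_INSERT_LIBRARIES injects {lib}{flag}")
    return lines


def build_sample_tree(root):
    """Write the constructed sample files under root; return (apps_dir, env_plist)."""
    root = Path(root)
    apps = root / "Applications"
    for name, contents in (("Safari.app", CLEAN_INFO), ("Firefox.app", INFECTED_INFO)):
        contents_dir = apps / name / "Contents"
        contents_dir.mkdir(parents=True)
        with open(contents_dir / "Info.plist", "wb") as fh:
            plistlib.dump(contents, fh)
    env = root / ".MacOSX" / "environment.plist"
    env.parent.mkdir()
    with open(env, "wb") as fh:
        plistlib.dump(INFECTED_ENV, fh)
    return apps, env


def run_sample():
    """Build the constructed tree in a temp dir and return the report lines."""
    with tempfile.TemporaryDirectory() as tmp:
        apps, env = build_sample_tree(tmp)
        return report(apps, env)


if __name__ == "__main__":
    for line in run_sample() or ["no DYLD_INSERT_LIBRARIES persistence found"]:
        print(line)
```

The check is deliberately not a signature match on particular filenames: the posts above describe variants that changed names and hid as configuration files, and a renamed dylib still has to be named in one of these two plists to get loaded, so enumerating the injection points catches it regardless of what the file is called. Removing the entry (and the dylib it names) is the cleanup step; rerunning the scan afterwards is the confirmation.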

Regardless, I ran the update and have done the discovery steps of the manual removal progress, and found nothing.

Java is not installed by default on Lion. Only power users really need Java, and if you are a power user infected by Flashback you likely let your guard down big time.

I remember seeing screenshots of the fake flash installer & thinking right away it looks nothing like Adobe's legitimate installer, should have been very easy to spot something was wrong.

What's really frustrating is that for years software developers have had the ability to tag their installers with an SSL cert, yet many still use the ridiculous drag & drop install method that went away with Tiger. The reason we have so many issues with malware on both Windows & OS X is primarily because we cater too much to legacy developers. Update your code already, we're sick of dealing with the mess.